CVE-2025-6199
BaseFortify
Publication date: 2025-06-17
Last updated on: 2025-11-03
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | enterprise_linux | 8.0 |
| gnome | gdkpixbuf | 2.0.0 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux | 10.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the GIF parser of the GdkPixbuf library's LZW decoder. When the decoder encounters an invalid symbol during decompression, it incorrectly sets the output size to the full buffer length instead of the actual number of bytes written. This causes uninitialized parts of the memory buffer to be included in the output image, potentially leaking arbitrary memory contents. [1]
How can this vulnerability impact me? :
The vulnerability can lead to the leakage of uninitialized heap memory contents when processing specially crafted GIF images. This means that sensitive or arbitrary memory data could be exposed through the output image buffer, potentially revealing information that should remain private. The impact is considered low severity. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the GdkPixbuf library to a version where this flaw is fixed. Avoid processing untrusted or specially crafted GIF images with the affected GdkPixbuf versions. Since the vulnerability is in the GIF LZW decoder, applying security patches provided by your Linux distribution or the GdkPixbuf maintainers is recommended. [1]